LDAP: Disable feature on externalized user (+fields)

tracim/tracim/controllers/__init__.py

@@ -126,6 +126,7 @@ class TIMRestController(RestController, BaseController):
         :param kw:
         :return:
         """
+        super()._before(*args, **kw)
         TIMRestPathContextSetup.current_user()
 
 
@@ -468,6 +469,7 @@ class StandardController(BaseController):
         :param kw:
         :return:
         """
+        super()._before(*args, **kw)
         TIMRestPathContextSetup.current_user()
 
     @classmethod

tracim/tracim/controllers/user.py

@@ -1,4 +1,5 @@
 # -*- coding: utf-8 -*-
+from webob.exc import HTTPForbidden
 
 from tracim import model  as pm
 
@@ -93,11 +94,17 @@ class UserPasswordRestController(TIMRestController):
 
     @tg.expose('tracim.templates.user_password_edit_me')
     def edit(self):
+        if not tg.config.get('auth_is_internal'):
+            raise HTTPForbidden()
+
         dictified_user = Context(CTX.USER).toDict(tmpl_context.current_user, 'user')
         return DictLikeClass(result = dictified_user)
 
     @tg.expose()
     def put(self, current_password, new_password1, new_password2):
+        if not tg.config.get('auth_is_internal'):
+            raise HTTPForbidden()
+
         # FIXME - Allow only self password or operation for managers
         current_user = tmpl_context.current_user
 
@@ -130,6 +137,10 @@ class UserRestController(TIMRestController):
     password = UserPasswordRestController()
     workspaces = UserWorkspaceRestController()
 
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self._auth_instance = tg.config.get('auth_instance')
+
     @classmethod
     def current_item_id_key_in_context(cls):
         return 'user_id'
@@ -174,9 +185,29 @@ class UserRestController(TIMRestController):
         current_user = tmpl_context.current_user
         assert user_id==current_user.user_id
 
+        # Only keep allowed field update
+        updated_fields = self._clean_update_fields({
+            'name': name,
+            'email': email
+        })
+
         api = UserApi(tmpl_context.current_user)
-        api.update(current_user, name, email, True)
+        api.update(current_user, do_save=True, **updated_fields)
         tg.flash(_('profile updated.'))
         if next_url:
             tg.redirect(tg.url(next_url))
         tg.redirect(self.url())
+
+    def _clean_update_fields(self, fields: dict):
+        """
+        Remove field key who are not allowed to be updated
+        :param fields: dict with field name key to be cleaned
+        :rtype fields: dict
+        :return:
+        """
+        if not self._auth_instance.is_internal:
+            externalized_fields_names = self._auth_instance.managed_fields
+            for externalized_field_name in externalized_fields_names:
+                if externalized_field_name in fields:
+                    fields.pop(externalized_field_name)
+        return fields

tracim/tracim/lib/auth/base.py

@@ -29,16 +29,30 @@ class Auth:
     """ Auth strategy must be named: .ini config will use this name in auth_type parameter """
     name = NotImplemented
 
+    """ When Auth is not internal, user account management are disabled (forgotten password, etc.) """
+    _internal = NotImplemented
+
     def __init__(self, config):
         self._config = config
+        self._managed_fields = []
+
+    @property
+    def is_internal(self):
+        return bool(self._internal)
 
-    def wrap_config(self):
+    @property
+    def managed_fields(self):
+        return self._managed_fields
+
+    def feed_config(self):
         """
         Fill config with auth needed. You must overload with whild implementation.
         :return:
         """
         self._config['sa_auth'] = _get_clean_sa_auth(self._config)
 
+        self._config['auth_is_internal'] = self.is_internal
+
         # override this if you would like to provide a different who plugin for
         # managing login and logout of your application
         self._config['sa_auth'].form_plugin = None

tracim/tracim/lib/auth/internal.py

@@ -9,14 +9,14 @@ from tracim.model import DBSession, User
 class InternalAuth(Auth):
 
     name = 'internal'
+    _internal = True
 
-    def wrap_config(self):
+    def feed_config(self):
         """
         Fill config with internal (database) auth information.
         :return:
         """
-        super().wrap_config()
-
+        super().feed_config()
         self._config['sa_auth'].user_class = User
         self._config['auth_backend'] = 'sqlalchemy'
         self._config['sa_auth'].dbsession = DBSession

tracim/tracim/lib/auth/ldap.py

@@ -16,6 +16,7 @@ class LDAPAuth(Auth):
 
     """
     name = 'ldap'
+    _internal = False
 
     def __init__(self, config):
         super().__init__(config)
@@ -23,9 +24,10 @@ class LDAPAuth(Auth):
         self.ldap_user_provider = self._get_ldap_user_provider()
         if ini_conf_to_bool(self._config.get('ldap_group_enabled', False)):
             self.ldap_groups_provider = self._get_ldap_groups_provider()
+        self._managed_fields = self.ldap_user_provider.local_fields
 
-    def wrap_config(self):
-        super().wrap_config()
+    def feed_config(self):
+        super().feed_config()
         self._config['auth_backend'] = 'ldapauth'
         self._config['sa_auth'].authenticators = [('ldapauth', self.ldap_auth)]
 
@@ -155,3 +157,10 @@ class LDAPAttributesPlugin(BaseLDAPAttributesPlugin):
         super().add_metadata(environ, identity)
         # TODO - B.S. - 20160212: identity contains now som information from LDAP what we can save in local database
         identity[self.name] = self._user_api.get_one_by_email(identity.get('repoze.who.userid'))
+
+    @property
+    def local_fields(self):
+        """
+        :return: list of ldap side managed field names
+        """
+        return list(self._attributes_map.values())

tracim/tracim/lib/auth/wrapper.py

@@ -6,21 +6,19 @@ from tracim.lib.auth.ldap import LDAPAuth
 class AuthConfigWrapper:
 
     # TODO: Dynamic load, like plugins ?
-    AUTH_WRAPPERS = (InternalAuth, LDAPAuth)
-    EXTERNAL_AUTHS = (LDAPAuth,)
+    AUTH_CLASSES = (InternalAuth, LDAPAuth)
 
     @classmethod
     def wrap(cls, config):
-        wrapper_class = cls._get_wrapper_class(config)
-        wrapper = wrapper_class(config)
-        wrapper.wrap_config()
-        return config
+        auth_class = cls._get_auth_class(config)
+        config['auth_instance'] = auth_class(config)
+        config['auth_instance'].feed_config()
 
     @classmethod
-    def _get_wrapper_class(cls, config):
-        for wrapper_class in cls.AUTH_WRAPPERS:
-            if wrapper_class.name is NotImplemented:
-                raise Exception("\"name\" attribute of %s is required" % str(wrapper_class))
-            if config.get('auth_type') == wrapper_class.name:
-                return wrapper_class
+    def _get_auth_class(cls, config):
+        for auth_class in cls.AUTH_CLASSES:
+            if auth_class.name is NotImplemented:
+                raise Exception("\"name\" attribute of %s is required" % str(auth_class))
+            if config.get('auth_type') == auth_class.name:
+                return auth_class
         raise Exception("No auth config wrapper found for \"%s\" auth_type config" % config.get('auth_type'))

tracim/tracim/lib/base.py

@@ -31,6 +31,10 @@ class BaseController(TGController):
         tmpl_context.identity = request.identity
         return TGController.__call__(self, environ, context)
 
+    def _before(self, *args, **kwargs):
+        tmpl_context.auth_is_internal = tg.config.get('auth_is_internal')
+        tmpl_context.auth_instance = tg.config.get('auth_instance')
+
     @property
     def parent_controller(self):
         possible_parent = None

tracim/tracim/lib/helpers.py

@@ -210,3 +210,9 @@ def ini_conf_to_bool(value):
     if value in ('False', 'false', '0', 'off', 'no'):
         return False
     return bool(value)
+
+
+def is_user_externalized_field(field_name):
+    if not tg.config.get('auth_instance').is_internal:
+        return field_name in tg.config.get('auth_instance').managed_fields
+    return False

tracim/tracim/lib/user.py

@@ -27,9 +27,13 @@ class UserApi(object):
     def get_one_by_email(self, email: str):
         return self._base_query().filter(User.email==email).one()
 
-    def update(self, user: User, name: str, email: str, do_save):
-        user.display_name = name
-        user.email = email
+    def update(self, user: User, name: str=None, email: str=None, do_save=True):
+        if name is not None:
+            user.display_name = name
+
+        if email is not None:
+            user.email = email
+
         if do_save:
             self.save(user)
 

tracim/tracim/templates/user_toolbars.mak

@@ -15,7 +15,11 @@
                 endif
             %>
         <a title="${_('Edit current user')}" class="btn btn-default" data-toggle="modal" data-target="#user-edit-modal-dialog" data-remote="${user_edit_url}" >${ICON.FA('fa-edit t-less-visible')} ${_('Edit user')}</a>
-            <a title="${_('Change password')}" class="btn btn-default" data-toggle="modal" data-target="#user-edit-password-modal-dialog" data-remote="${user_password_edit_url}" >${ICON.FA('fa-key t-less-visible')} ${_('Password')}</a>
+
+            % if auth_is_internal:
+                <a title="${_('Change password')}" class="btn btn-default" data-toggle="modal" data-target="#user-edit-password-modal-dialog" data-remote="${user_password_edit_url}" >${ICON.FA('fa-key t-less-visible')} ${_('Password')}</a>
+            % endif
+
         </div>
         <p></p>
         % if current_user.profile.id>2 and current_user.id!=user.id:
@@ -40,7 +44,11 @@
                 user_password_edit_url = tg.url('/user/{}/password/edit'.format(current_user.id))
             %>
             <a title="${_('Edit my profile')}" class="btn btn-default" data-toggle="modal" data-target="#user-edit-modal-dialog" data-remote="${user_edit_url}" >${ICON.FA('fa-edit t-less-visible')} ${_('Edit my profile')}</a>
-            <a title="${_('Change password')}" class="btn btn-default" data-toggle="modal" data-target="#user-edit-password-modal-dialog" data-remote="${user_password_edit_url}" >${ICON.FA('fa-key t-less-visible')} ${_('Password')}</a>
+
+            % if auth_is_internal:
+                <a title="${_('Change password')}" class="btn btn-default" data-toggle="modal" data-target="#user-edit-password-modal-dialog" data-remote="${user_password_edit_url}" >${ICON.FA('fa-key t-less-visible')} ${_('Password')}</a>
+            % endif
+
         </div>
         <p></p>
         <h3 class="t-spacer-above" style="margin-top: 1em;">

tracim/tracim/templates/user_workspace_forms.mak

@@ -98,11 +98,11 @@
         <div class="modal-body">
             <div class="form-group">
                 <label for="name">${_('Name')}</label>
-                <input name="name" type="text" class="form-control" id="name" placeholder="${_('Name')}" value="${user.name}">
+                <input name="name" type="text" class="form-control" id="name" placeholder="${_('Name')}" value="${user.name}" ${'readonly="readonly"' if h.is_user_externalized_field('name') else ''}>
             </div>
             <div class="form-group">
                 <label for="email">${_('Email')}</label>
-                <input name="email" type="text" class="form-control" id="email" placeholder="${_('Name')}" value="${user.email}">
+                <input name="email" type="text" class="form-control" id="email" placeholder="${_('Name')}" value="${user.email}" ${'readonly="readonly"' if h.is_user_externalized_field('email') else ''}>
             </div>
         </div>
         <div class="modal-footer">